Click here to Skip to main content
Click here to Skip to main content

Single sign-on across multiple applications in ASP.NET

, 31 Mar 2004
Rate this:
Please Sign up or sign in to vote.
By default, Forms authentication does not support single sing-on accross multiple applications. But is not too complicated to tweak it the appropriate way.

Introduction

I prefer to use the Forms authentication for most of my applications. And most of my projects consist of a few relatively independent parts running on subdomains of the main domain. It would be nice to have single sign-on, so if you are logged on at www.example.com, you would be recognized also at everything.example.com.

Forms authentication by default does not support this feature, but is not too complicated to tweak it the appropriate way.

Behind the Forms authentication

Technology behind the Forms authentication is simple: it would create a cookie of defined name (attribute name of forms attribute in web.config). The cookie would contain encrypted authentication data.

To protect user's privacy and for security reasons, you can only read cookies that you wrote. They're associated with server hostname by default. But the cookie standard supports making cookies accessible for entire domain in which the server lies. It means that from server1.example.com, you can work with cookies for both server1.example.com and example.com.

You can set domain-wide cookie only for second level domain, or for third level domain if second level domain contains three or less characters. It means that you cannot set cookie for domain "com" or "co.uk", but can for "example.com" or "example.co.uk".

So, only what you need is to make authentication cookies domain-wide.

Setting it up

You must setup authentication in system.web section of your web.config file as usual, for example:

<authentication mode="Forms">
  <forms name=".EXAMPLE-AUTH" loginUrl="/Login.aspx" 
               protection="All" timeout="30" path="/" />
</authentication>

As I said before, the authentication cookie is encrypted. By default, encryption key is generated automatically. But if you need more servers to cooperate, you need to have the keys same on both servers. This can be done by adding the following to system.web section of web.config:

<machineKey
  validationKey="BD52058A3DEA473EA99F29418689528A494DF2B00054BB7C" 
  decryptionKey="684FC9301F404DE1B9565E7D952005579E823307BED44885" 
/>

The values of validation and decryption key should be 16 (for DES) or 48 (for TripleDES) characters long hexadecimal numbers.

Signing on

You must modify the authentication cookie before sending it to the client, by specifying your domain name. The code can be as follows (assumes that user has been authenticated and his name is stored in string variable UserName):

Dim C As System.Web.HttpCookie = _
         System.Web.Security.FormsAuthentication.GetAuthCookie(UserName, False)
C.Domain = "example.com"
Response.AppendCookie(C)
Response.Redirect(System.Web.Security.FormsAuthentication.GetRedirectUrl(UserName, 
                                                                           False))

Signing off

Usually, there is no need to make something special to sign the user off - just call System.Web.Security.FormsAuthentication.SignOut(). But not in this case - the SignOut() method is unable to deal with domain-wide cookies.

You need to delete the cookie manually. And the only way to delete a cookie is to set its expiration date to past. You may do it using the following code:

Dim C As System.Web.HttpCookie = _
         Request.Cookies(System.Web.Security.FormsAuthentication.FormsCookieName)
C.Domain = "example.com"
C.Expires = DateTime.Now.AddDays(-1)
Response.Cookies.Add(C)

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

Share

About the Author

Michal Altair Valášek
Software Developer Altairis
Czech Republic Czech Republic

Software architect and developer in Altairis, dev shop in Czech republic. Microsoft Most Valuable Professional (MVP) since 2004.

See my open source project at Codeplex.


Comments and Discussions

 
Questionasp.net sso Pinmemberwissamtannous2-Oct-13 23:23 
GeneralThanks Pinmemberdebayan nanda23-Apr-11 10:32 
GeneralSSO in ASP.NET to view SAP IView PinmemberNetweb9-Nov-09 3:37 
GeneralCookies Across Domains Pinmembermohit232320-Apr-08 2:26 
GeneralFacing problem with Domain and subdomain PinmemberJavad Mehmood26-Dec-07 9:37 
GeneralRe: Facing problem with Domain and subdomain PinmemberPranjaliBhide13-Aug-08 4:18 
Questionon different domains? Pinmemberdagarwal827-Nov-06 21:24 
GeneralLogging out not working. PinmemberNigel Liefrink 221-Aug-06 21:39 
Hi, Tried your code for logging out, but it wasn't working.
 
I managed to get it working by not using the expiry date but setting the value of the cookie like this:
 
Dim C As System.Web.HttpCookie = _
         Request.Cookies(System.Web.Security.FormsAuthentication.FormsCookieName)
C.Domain = "example.com"
C.Value = ""
Response.Cookies.Add(C)

 
Nigel Liefrink.

GeneralProblem when is not persistant PinmemberLordfkiller15-Mar-06 10:11 
GeneralRe: Problem when is not persistant PinmemberLordfkiller16-Mar-06 2:35 
Questionlocalhost Pinmemberxgnitesh9-Feb-06 6:45 
AnswerRe: localhost Pinmemberdavidhart4-Sep-07 7:57 
QuestionRe: localhost PinmemberOfir-z1-Aug-08 6:37 
AnswerRe: localhost PinmemberOfir-z1-Aug-08 6:44 
GeneralTIcket pass Worked in ASP 1.1 but not in 2.0.. PinmemberPchao25-Dec-05 17:21 
GeneralRe: TIcket pass Worked in ASP 1.1 but not in 2.0.. Pinmembermrbikejoc7-Feb-08 15:52 
GeneralPls highlight the importance of &lt;machineKey&gt; PinsussAnonymous20-Oct-05 10:17 
GeneralCannot logout PinmemberJong-Hyun9-May-05 12:06 
GeneralJOSSO Single Sign-On supports ASP PinsussAnonymous8-Mar-05 3:50 
GeneralRe: JOSSO Single Sign-On supports ASP Pinmemberayurhdfkl1-Aug-07 1:02 
Questioniframe and form authentication? Pinmembernorm18-Feb-05 21:08 
GeneralSingle sign on within sub domain PinsussGurumoorthi Kumar2-Jan-05 19:09 
GeneralRe: Single sign on within sub domain PinmemberDevDude26-Jan-06 12:35 
GeneralA better way PinsussAnonymous23-Dec-04 9:39 
GeneralRe: A better way PinmemberMichal Altair Valasek23-Dec-04 10:54 
GeneralSSO Across Domains PinsussChecking14-Oct-04 10:31 
GeneralRe: SSO Across Domains PinmemberMichal Altair Valasek14-Oct-04 13:39 
GeneralASP Pinmembermatzy24-Sep-04 8:01 
GeneralRe: ASP Pinmembermatzy11-Nov-04 5:47 
GeneralNot working for me PinmemberDave Wengier31-Aug-04 13:57 
GeneralRe: Not working for me PinmemberDave Wengier1-Sep-04 13:29 
GeneralRe: Not working for me Pinmembernorm18-Feb-05 21:10 
QuestionHow to deal with the SSO on different top domains? Pinmemberrazor.sdb.cnic.cn23-Aug-04 19:31 
AnswerRe: How to deal with the SSO on different top domains? PinmemberMichal Altair Valasek27-Aug-04 1:45 
GeneralRe: How to deal with the SSO on different top domains? PinmemberSelArom30-Sep-07 15:11 
AnswerRe: How to deal with the SSO on different top domains? PinmemberMikeSc3-Oct-06 5:59 
GeneralAuthentication problem PinmemberRichardAOC23-Aug-04 7:41 
GeneralRe: Authentication problem PinmemberMichal Altair Valasek23-Aug-04 7:46 
GeneralRe: Authentication problem PinmemberRichardAOC24-Aug-04 7:33 
GeneralRe: Authentication problem Pinmembermcpasd7-Nov-05 0:31 
GeneralRe: Authentication problem PinmemberRichardAOC7-Nov-05 6:15 
GeneralTypeKey authentication in ASP.Net Pinmemberdumky15-Jun-04 8:43 
GeneralRedirect not working Pinsussdougrutledge26-May-04 8:00 
GeneralAlways creates the New Session ID PinmemberAcceptMyName10-May-04 13:13 
GeneralRe: Always creates the New Session ID PinmemberMichal Altair Valasek10-May-04 20:21 
GeneralIt doesn't work to me also Pinmemberjuanchosc10-May-04 2:19 
GeneralRe: It doesn't work to me also PinmemberMichal Altair Valasek10-May-04 9:18 
Generaldoesn't work Pinmembermargiex26-Apr-04 19:57 
GeneralRe: doesn't work PinmemberMichal Altair Valasek10-May-04 9:19 
GeneralWarnings about netscape PinmemberPhallGuy6-Apr-04 13:48 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web04 | 2.8.141216.1 | Last Updated 1 Apr 2004
Article Copyright 2004 by Michal Altair Valášek
Everything else Copyright © CodeProject, 1999-2014
Layout: fixed | fluid